Trust is the common denominator that differentiates industry leaders from their peers. Managed correctly, encryption and certificate-based authentication provide the foundation of trust: security, privacy, authenticity, and compliance. Learn how CME Group is managing control over trust across their organization with enterprise key and certificate management. These slides were presented at the RSA Conference 2013 in San Francisco. The full presentation with audio is available at http://www.venafi.com/cme-group-case-study/.
2. LEARNING OBJECTIVES
► Building the Business Case for Trust
► Building Trust
► Maintaining Trust
► Lessons learned and what you can do starting next week!
3. ABOUT CME GROUP
► The world's largest and most diverse futures exchange
► CME Group is comprised of
► Chicago Mercantile Exchange (CME)
► Chicago Board of Trade (CBOT)
► New York Mercantile Exchange (NYMEX)
► Commodity Exchange (COMEX)
► Where the world comes to manage risk
4. ABOUT CME GROUP
► Highly Regulated Industry
► Commodity Futures Trading Commission (CFTC)
► Securities and Exchange Commission (SEC)
► The Numbers
► 13.4 Million Average Daily Trades
► 3.4 Billion Contracts Traded in 2011
► Over $1 Quadrillion in Notional Value in 2011
► 1 Quadrillion = 1000 Trillion
5. BUILDING THE BUSINESS CASE
► Move to common authentication scheme
► Replace PAC files
► Replace RSA Tokens
► Lower authentication TCO
► Replace RSA Token after 2011 breach in trust
► Bring security controls in house
► Improve existing PKI assurance
6. BUILDING TRUST
► Build PKI with a high level of assurance
► Secured with offline CAs
► Secured with Hardware Security Modules
► Secured with multi-party authentication
9. MAINTAINING TRUST
► What can break trust?
► Lax Access Controls
► Who has access to your private keys? Are you sure? Can you prove it?
► Antiquated Security Standards
► Insecure hashing algorithms
► Outdated Key Length
16. LESSONS LEARNED
What We Didn’t Know
► Level of required processes
► Documentation
► Key Transport
► Cross Organizational Engagement Creates Trust
► Trust Creates Demand
17. LESSONS LEARNED
How Our Process is Changing
► Built-in
► Policy enforcement
► Visibility & tracking
► Support many, many different use cases
► Devices
► Encryption v. authentication
► When to use Internal v. Hosted PKI
► Less reliance on hosted PKI
18. LESSONS LEARNED
What’s next for CME Group
► Figuring out what we have
► Venafi Director for Internal and External Inventory Scans
► Prioritizing demand
► With limited PKI SMEs we have to prioritize.
► Internal Education
► PKI is voodoo!
► Automate, automate, automate!
► Policy Enforcement
► Enrollment
► Self Service
19. LESSONS LEARNED
What’s next for Your Organization?
► Today
► Do you have an internal PKI?
► What is the current state of your PKI?
► 3 Months
► Plan for certificate based encryption and authentication
► Develop your business case!
► 6 Months
► Budget money
► Budget time
► Engage SMEs for help. If you don’t get it right the first time, there can’t be any trust!